We are truly living in interesting times, and while I sometimes prefer to be boring, I think that the increasing interest in authorization is definitely a good sign. Recent discussions on the OAuth Charter for the IETF WG, and Martin Kuppinger’s article on Authorization Management, are good indicators that the community is moving towards new approaches for distributed authorization.
While XACML has solved many of the problems that may arise from a technical perspective, it is fairly heavy-weight and, in its current form, not particularly appealing to the large number of RESTafarians. Also, as Martin points out in his articles, what seems to be missing is a framework comprising business rules and policy management for “multi-layer authorization” models. Nevertheless, the recent addition of XACML to the HITSP IS01 and the XSPA XACML 2.0 profile for healthcare will likely raise the visibility of XACML beyond its core community.
At this point, privacy protection concerns (as also voiced in XACML core) will play a major role, especially when considering the sensitivity of HC-related information. As such, any authentication management framework must either address these privacy protection issues, or be open enough to interface with emerging technologies such as CARML et al. from the IGF.
 Along with SAML 2.0, WS-Federation, and WS-Trust…